Old tech, lack of transparency leading to cyber calamities


The U.S. has struggled to resume its financial prominence since the financial crisis, caught up in the overcompensating regulations passed in its aftermath and in the politically inspired resolutions of those regulations that are now unfolding.

Of critical importance is the failure to resolve entrenched financial institutions’ antiquated business models and legacy systems that impede technological advances, especially at the infrastructure level of the financial system.


We struggle to "keep our fingers in the dyke" as our financial system increasingly springs leaks, occasionally spilling over its banks. The latest cybersecurity calamity, the Equifax data breach of 143 million credit accounts, follows so many other systemic financial system "mishaps."


The short list includes:

  • Long Term Capital Management’s investment model failure;
  • multiple banks’ mortgage securitization failures;
  • the Madoff Ponzi scheme;
  • multiple exchange trading failures and "flash crashes";
  • multiple rogue trading incidents;
  • the SWIFT payment system thefts; and
  • the overselling of loan products by Wells Fargo.

The core problem is lack of transparency. Regulators cannot see the buildup of risky positions or the use of risky business practices. Financial institutions are burdened with older "legacy" systems, some going back in design to the early 1960s.

Their programming languages are not taught or understood today by the new crop of computer engineers that now inhabit financial institutions.

These outdated middle- and back-office systems can only report on transaction failures and risk triggers after the fact — days, weeks, months, even a year after events occur. This is happening while transactions are increasingly occurring at the customer-facing level in real time.

Over the ensuing decades, modifications were placed on top of these multiple, non-integrated legacy systems to accommodate new regulations and mergers that proliferated during this period.

During the two-decade period from 1984 to 2003, 8,122 individual bank and thrift organizations, representing nearly half of the banks and thrift entities that existed in 1984, were folded into other banks through mergers and holding company purchases.

Each merger added to the complexity of the decaying technology infrastructure, as many of these were accomplished without integrating acquired systems of merged banks. Much manual contrivance was and still is necessary to mold the output from these multiple systems and multiple client databases to conform to a common regulatory reporting view.

The recent torrent of regulations now imposed on these systems never considered the technological consequences of the embedded legacy systems, where risk-prone "work-around" solutions were left in place to meet regulators’ accelerated implementation deadlines.

The financial system is a digital information ecosystem. Financial institutions’ products are exclusively represented by numbers and characters stored in computer memory or on computer databases. There is nothing physical in the supply chain; it’s all digital. That then argues for complete automation of the financial supply chain.

What is inhibiting the realization of this vision is the financial industry’s decades of progressive automation without global data standards. The financial industry does not have a consistent or uniform global standard for identifying either a financial market participant or the products that they trade or own.

Transactions that are entered into at the trade or origination stage are only paid for after details of the trade are matched and verified.

With trades being executed in individual market centers, each with its own set of participant and product identifiers, and with no global identification system available thereafter in the middle- and back-office processes, significant problems of matching proprietary and non-standard identifiers abound.

Hundreds of financial market utilities (FMUs) have been created to reconcile differences before trades are paid for and assets are transferred.   

This process requires a minimum of a day and more often a few days before trades are reconciled and payment and ownership of assets confirmed. In the U.S., that process for corporate stocks and bonds has recently been reduced from three days to two.

This is the best practice in the financial industry today. It is not the sophisticated stealth bomber example that we always think of as the metaphor for the technological sophistication of financial institutions.

The G-20 global leaders have empowered a new standards entity, the Financial Stability Board (FSB), to establish common globally unique codes for financial market participants, financial instruments and financial transactions.

Simultaneously, projects by the International Organization of Securities Commissions and the Bank for International Settlements’ Committee on Payments and Market Infrastructures (each organization having U.S. regulators represented) are underway to define complete data sets for each type of financial transaction.

With such enabling common data structures, multiple financial institution systems can be built using common industry infrastructure specifications. This would lower costs for everyone and provide regulators the transparency and real-time availability of transactional data to observe risks building up in the financial system.

Further, this would allow technology-based companies and leaders of such enabling technologies as cloud computing, big data analytics, artificial intelligence and distributed ledger technologies to take advantage of this regulatory initiative and innovate the reengineering of the financial system.

Digital-based financial technology (fintech) companies are already operating on the margins of the financial system, leveraging the lethargy of the legacy-minded financial institutions. However, they are being forced to arrange business relationships with these same institutions as they control the decades-old legacy systems that interface with FMUs.

FMUs control the post-trade, back-office activities of payment, clearance and settlement. To alter this dynamic, fintech firms Social Finance and Square are seeking industrial loan company charters and federal deposit insurance to compete directly with traditional banks.

Placing this reengineering project on the United States’ infrastructure agenda can have an enduring impact on the country's ability to control its financial system.

This is a most important consideration in the face of cybersecurity issues where hackers and rogue states may achieve economic power and steal financial resources by breaching the financial system and circumventing financial sanctions.

Allan D. Grody is the president and founder of the Financial InterGroup of companies in the U.S., which houses strategists, consultants and researchers in financial services with particular focus on bank regulation.